Giving credit to a complex business challenge

Provident has recognized the importance of looking after customer data since it was founded in 1880, but the EU’s General Data Protection Regulation (GDPR) created new challenges for the business around properly managing their records of processing activity, vendor contracts, data subject access rights, and more.

“Before the GDPR went into effect, the privacy team set up workstreams to ensure we had a baseline level of compliance,” added Dronfield. “We soon realized that our processes were disparate and we needed a technology to automate operations and serve as a central repository for our data.”

Investing in a well-rounded solution to manage privacy compliance

Provident wanted to implement an easy-to-use privacy management technology that could serve as a singe source of truth for customer, employee and vendor information. After evaluating multiple vendors in the privacy technology space, Provident selected OneTrust for Data Mapping, Assessment Automation, Vendor Risk Management and Data Subject Rights Management.

Combined, the OneTrust modules automate and support the following Provident initiatives: privacy impact assessments, personal data breach notification processes, third-party supplier due diligence, transfers outside of the EEA, retention schedule changes, legitimate interest assessments, individual rights, records of processing, as well as weekly and monthly reports.

Making OneTrust an integral part of business operations

To roll out the OneTrust platform, Provident hired Tara Halfpenny as its Data Protection Analyst and to serve as the chief subject matter expert for OneTrust within the business. In this role, Tara supports each of Provident’s divisional and group Data Protection Officers, as well as the divisional and Group CISOs in ensuring the OneTrust platform meets each business’ needs and demonstrates accountability and compliance under the GDPR and other regulatory obligations.

“Although I work across the whole business to support individuals in their daily use of OneTrust, there are also core teams that are higher-level users of the platform,” said Halfpenny. “These teams have more needs and requirements to help with their own accountability and compliance under the GDPR and other regulatory bodies.”

For example, Provident’s procurement team uses OneTrust VendorpediaTM as a central repository for all the information they hold on vendors and third-parties. The platform adds value to Provident’s vendor inventory, enabling faster assessment with risk mitigation workflows, ongoing monitoring, and powerful reporting to manage the entire vendor engagement lifecycle, from onboarding to offboarding.

Additionally, Provident has a dedicated Subject Rights Request team that works with the wider business to collect information in the OneTrust platform to help support customer and employee data subject access requests.

To learn how Provident Financial Group implemented OneTrust to power third-party risk management, read the Vendorpedia case study. 

Among Halfpenny’s favorite offerings, each OneTrust release has a dedicated platform upgrade webinar, so if users need more guidance and instruction, they can get a full demo and connect with the support team to ask questions. This is especially important in her role as she’s responsible for rolling the platform out to all departments company wide.

“The other thing about the platform is that I have the freedom to converse with the OneTrust team, including product managers, on what updates and improvements I would like to see in the tool. If OneTrust feels my feedback is useful, they almost always incorporate it into an upcoming release, so other customers and take advantage of it,” she added.

Coining privacy as an ongoing commitment

Since implementing OneTrust, Provident not only has a better understanding of how data is flowing throughout the company but made privacy a competitive advantage for their business.

Provident plans on rolling OneTrust out to more divisions within the business. From there, Halfpenny will help stakeholders mature their understanding of the platform and utilize OneTrust’s reporting capabilities to get more visibility into the business’s privacy posture.

“Our obligations to our customers are our main priority and with OneTrust we not only demonstrate our commitment to their data protection and privacy, but confidently improve our privacy practices to support compliance for current and future regulations,” concluded Dronfield.

To learn how Provident Financial Group implemented OneTrust to power third-party risk management, read the Vendorpedia case study.